yAxis contest - defsec's results

The trusted #DeFi platform to earn reliable returns on digital assets.

General Information

Platform: Code4rena

Start Date: 16/11/2021

Pot Size: $30,000 USDC

Total HM: 3

Participants: 18

Period: 3 days

Judge: leastwood

Total Solo HM: 2

Id: 56

League: ETH

yAxis

Findings Distribution

Researcher Performance

Rank: 6/18

Findings: 3

Award: $1,161.54

🌟 Selected for report: 2

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository yAxis

Findings Information

🌟 Selected for report: TimmyToes

Also found by: defsec

Labels

bug

duplicate

2 (Med Risk)

Awards

1014.5458 USDC - $1,014.55

External Links

Link to GitHub issue

Handle

defsec

Vulnerability details

Impact

During the manual code review, It has been observed that minting progress is not checked when the contract is emergency paused. This can cause misfunctionality and unlocking user funds during the emergency pausing.

Proof of Concept

1-) Navigate to "https://github.com/code-423n4/2021-11-yaxis/blob/main/contracts/v3/alchemix/Alchemist.sol#L611" contract. 2-) Observe the following code on the Alchemist.sol.

Functions mint

    function mint(uint256 _amount)
        external
        nonReentrant
        noContractAllowed
        onPriceCheck
        expectInitialized
    {
        CDP.Data storage _cdp = _cdps[msg.sender];
        _cdp.update(_ctx);

        uint256 _totalCredit = _cdp.totalCredit;

        if (_totalCredit < _amount) {
            uint256 _remainingAmount = _amount.sub(_totalCredit);

            if (borrowFee > 0) {
                uint256 _borrowFeeAmount = _remainingAmount.mul(borrowFee).div(
                    PERCENT_RESOLUTION
                );
                _cdp.totalDebt = _cdp.totalDebt.add(_borrowFeeAmount);
                xtoken.mint(rewards, _borrowFeeAmount);
            }
            _cdp.totalDebt = _cdp.totalDebt.add(_remainingAmount);
            _cdp.totalCredit = 0;

            _cdp.checkHealth(_ctx, 'Alchemist: Loan-to-value ratio breached');
        } else {
            _cdp.totalCredit = _totalCredit.sub(_amount);
        }

        xtoken.mint(msg.sender, _amount);
        if (_amount >= flushActivator) {
            flushActiveVault();
        }
    }

Tools Used

None

Recommended Mitigation Steps

Implement the the following require statement into the functions. Only withdraw functions should be allowed on the contract.

       require(!emergencyExit, 'emergency pause enabled');

#0 - Xuefeng-Zhu
2021-12-09T06:41:08Z

https://github.com/code-423n4/2021-11-yaxis-findings/issues/12

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Auditors

Browse

Contests

Browse

Get in touch

Contact Twitter

Findings Information

🌟 Selected for report: defsec

Also found by: WatchPug

Labels

bug

G (Gas Optimization)

resolved

sponsor acknowledged

Awards

21.2967 USDC - $21.30

External Links

Link to GitHub issue

Handle

defsec

Vulnerability details

Impact

Hardhat console is an unnecessary import in all contracts since it is used solely for development. It can therefore be removed.

Proof of Concept

Navigate to the following contracts.

"https://github.com/code-423n4/2021-11-yaxis/blob/main/contracts/v3/alchemix/Alchemist.sol#L2" "https://github.com/code-423n4/2021-11-yaxis/blob/main/contracts/v3/alchemix/adapters/YaxisVaultAdapter.sol#L2"

Tools Used

None

Recommended Mitigation Steps

Remove import "hardhat/console.sol";

#0 - Xuefeng-Zhu
2021-11-23T17:46:03Z

does not impact deployed code

Findings Information

🌟 Selected for report: hack3r-0m

Also found by: defsec

Labels

bug

duplicate

G (Gas Optimization)

sponsor confirmed

Awards

21.2967 USDC - $21.30

External Links

Link to GitHub issue

Handle

defsec

Vulnerability details

Impact

This does not directly impact the smart contract in anyway besides cost. This is a gas optimization to reduce cost of smart contract. Calling each function, we can see that the public function uses 496 gas, while the external function uses only 261.

Proof of Concept

According to Slither Analyzer documentation (https://github.com/crytic/slither/wiki/Detector-Documentation#public-function-that-could-be-declared-external), there are functions in the contract that are never called. These functions should be declared as external in order to save gas.

Slither Detector:

external-function:

https://github.com/code-423n4/2021-11-yaxis/blob/main/contracts/v3/alchemix/Transmuter.sol#L349

https://github.com/code-423n4/2021-11-yaxis/blob/main/contracts/v3/alchemix/Transmuter.sol#L341

https://github.com/code-423n4/2021-11-yaxis/blob/main/contracts/v3/alchemix/Transmuter.sol#L332

Tools Used

Slither

Recommended Mitigation Steps

Get Smart Contracts from the Repository.
Create a python virtual environment with a stable python version.
Install Slither Analyzer on the python VEM.
Run Slither against all contracts.
Define public functions as an external for the gas optimization.

#0 - 0xleastwood
2021-12-21T05:09:01Z

Duplicate of #119

Findings Information

🌟 Selected for report: defsec

Labels

bug

G (Gas Optimization)

sponsor acknowledged

fix later

Awards

47.3259 USDC - $47.33

External Links

Link to GitHub issue

Handle

defsec

Vulnerability details

## Impact

Using newer compiler versions and the optimizer gives gas optimizations and additional safety checks are available for free.

The advantages of versions 0.8.* over <0.8.0 are:

Safemath by default from 0.8.0 (can be more gas efficient than library based safemath.)
Low level inliner : from 0.8.2, leads to cheaper runtime gas. Especially relevant when the contract has small functions. For example, OpenZeppelin libraries typically have a lot of small helper functions and if they are not inlined, they cost an additional 20 to 40 gas because of 2 extra jump instructions and additional stack operations needed for function calls.
Optimizer improvements in packed structs: Before 0.8.3, storing packed structs, in some cases used an additional storage read operation. After EIP-2929, if the slot was already cold, this means unnecessary stack operations and extra deploy time costs. However, if the slot was already warm, this means additional cost of 100 gas alongside the same unnecessary stack operations and extra deploy time costs.
Custom errors from 0.8.4, leads to cheaper deploy time cost and run time cost. Note: the run time cost is only relevant when the revert condition is met. In short, replace revert strings by custom errors.

Proof of Concept

The contest repository contracts contain pragma 0.6.12^. The contracts pragma version should be updated to 0.8.4.

Tools Used

None

Recommended Mitigation Steps

Consider to upgrade pragma to at least 0.8.4.

Findings Information

🌟 Selected for report: TimmyToes

Also found by: WatchPug, defsec, gzeon, hubble, pauliax, ye0lde

Labels

bug

duplicate

1 (Low Risk)

Awards

57.0552 USDC - $57.06

External Links

Link to GitHub issue

Handle

defsec

Vulnerability details

Impact

The Alchemist.setBorrowFee function emits the HarvestFeeUpdated event but should emit BorrowFeeUpdated instead. SetBorrowFee can be understood as that never happened which could lead to serious issues when something like an accounting app uses this data.

Proof of Concept

Navigate to the following contract. (https://github.com/code-423n4/2021-11-yaxis/blob/main/contracts/v3/alchemix/Alchemist.sol#L299)

    function setBorrowFee(uint256 _borrowFee) external onlyGov {
        // Check that the borrow fee is within the acceptable range. Setting the borrow fee greater than 100% could
        // potentially break internal logic when calculating the borrow fee.
        require(_borrowFee <= PERCENT_RESOLUTION, 'Alchemist: borrow fee above maximum.');

        borrowFee = _borrowFee;

        emit HarvestFeeUpdated(_borrowFee);
    }

HarvestFeeUpdated event is emitted on the function.

Tools Used

Code Review

Recommended Mitigation Steps

Emit the correct event. (BorrowFeeUpdated)

#0 - Xuefeng-Zhu
2021-12-09T06:10:02Z

https://github.com/code-423n4/2021-11-yaxis-findings/issues/7

yAxis contest - defsec's results

The trusted #DeFi platform to earn reliable returns on digital assets.

General Information

Findings Distribution

Researcher Performance

External Links

[M-01] Missing Emergency Pause Check - $1,014.55

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - Xuefeng-Zhu2021-12-09T06:41:08Z

QA Report - $57.06

Gas Report - $89.93

QA Report - $57.06

Gas Report - $89.93

🌟 [G-09] Redundant Import - $21.30

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - Xuefeng-Zhu2021-11-23T17:46:03Z

[G-13] Gas Optimization on the Public Functions - $21.30

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - 0xleastwood2021-12-21T05:09:01Z

🚀 [G-08] Upgrade pragma to at least 0.8.4 - $47.33

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Proof of Concept

Tools Used

Recommended Mitigation Steps

[L-10] Wrong Event Emitted For The SetBorrowFee Function - $57.06

Findings Information

Labels

Awards

External Links

Handle

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - Xuefeng-Zhu2021-12-09T06:10:02Z

#0 - Xuefeng-Zhu
2021-12-09T06:41:08Z

#0 - Xuefeng-Zhu
2021-11-23T17:46:03Z

#0 - 0xleastwood
2021-12-21T05:09:01Z

#0 - Xuefeng-Zhu
2021-12-09T06:10:02Z